Jumpcloud admin granted system privileges
Set up the jumpcloud integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.
Strategy
This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name
of system_admin_grant
.
Triage and response
- Reach out to the admin making the change (
{{@usr.email}}
) to confirm that the user (@usr.name
) should have administrative privileges on the specified resource (@resource.name
). - If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (
@resource.name
).